[Freeipa-users] Re: Only some AD users returned from lookups
Aha! This (from the domain log) shed some light:

(Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_save_user] (0x0400): Processing user slyme...@grinnell.edu
(Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_save_user] (0x1000): Mapping user [slyme...@grinnell.edu] objectSID [S-1-5-21-71189414-1642862984-1097818727-518801] to unix ID
(Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_idmap_sid_to_unix] (0x0040): Object SID [S-1-5-21-71189414-1642862984-1097818727-518801] has a RID that is larger than the ldap_idmap_range_size. See the "ID MAPPING" section of sssd-ad(5) for an explanation of how to resolve this issue.
(Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_idmap_sid_to_unix] (0x0080): Could not convert objectSID [S-1-5-21-71189414-1642862984-1097818727-518801] to a UNIX ID
(Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_save_user] (0x0020): Failed to save user [slyme...@grinnell.edu]
(Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.

So it looks as though I have an incorrect ID Range for these AD accounts. I increased the number of IDs in the range for the AD domain and - lo and behold, the accounts are now resolving. Thank you for your help!
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/YJEB7EDCT64LSCDZJJQKS3EHHAEBJ6QL/
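Added example, not part of the original posts: a small Python check that pulls the "RID that is larger than the ldap_idmap_range_size" failures out of an SSSD domain log, groups the RIDs by domain SID, and reports the smallest range size that would cover them. The base RID of 0 and the current range size of 200000 are assumed values for illustration, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# Matches the sdap_idmap_sid_to_unix failure quoted in the thread and captures
# the domain SID and the trailing RID separately.
RID_TOO_LARGE = re.compile(
    r"\[sdap_idmap_sid_to_unix\].*Object SID \[(S-1-5-21(?:-\d+){3})-(\d+)\] "
    r"has a RID that is larger than"
)

PREFIX = "[sssd[be[cs.grinnell.edu]]] "
SAMPLE_LOG = [
    # Line taken from the thread.
    "(Thu Jul 12 08:13:33 2018) " + PREFIX + "[sdap_idmap_sid_to_unix] (0x0040): "
    "Object SID [S-1-5-21-71189414-1642862984-1097818727-518801] has a RID "
    "that is larger than the ldap_idmap_range_size.",
    # Constructed line: same domain SID, different RID.
    "(Thu Jul 12 08:13:34 2018) " + PREFIX + "[sdap_idmap_sid_to_unix] (0x0040): "
    "Object SID [S-1-5-21-71189414-1642862984-1097818727-204512] has a RID "
    "that is larger than the ldap_idmap_range_size.",
    # Constructed line that must be ignored.
    "(Thu Jul 12 08:13:34 2018) " + PREFIX + "[sdap_save_user] (0x0400): "
    "Processing user example-user@ad.example",
]

def unmapped_rids(lines):
    """Return {domain_sid: sorted RIDs} for every RID-too-large failure."""
    by_domain = defaultdict(set)
    for line in lines:
        match = RID_TOO_LARGE.search(line)
        if match:
            by_domain[match.group(1)].add(int(match.group(2)))
    return {sid: sorted(rids) for sid, rids in by_domain.items()}

def in_range(rid, base_rid, range_size):
    """A RID is mappable only if base_rid <= rid < base_rid + range_size."""
    return base_rid <= rid < base_rid + range_size

def required_range_size(rids, base_rid=0):
    """Smallest range size that covers the largest RID seen."""
    return max(rids) - base_rid + 1

if __name__ == "__main__":
    ASSUMED_BASE_RID, ASSUMED_RANGE_SIZE = 0, 200000  # assumed, not from the thread
    for sid, rids in unmapped_rids(SAMPLE_LOG).items():
        outside = [r for r in rids if not in_range(r, ASSUMED_BASE_RID, ASSUMED_RANGE_SIZE)]
        print(sid, "RIDs outside range:", outside,
              "minimum range size:", required_range_size(rids, ASSUMED_BASE_RID))
```

This also fits the original observation that only older accounts resolved: accounts with RIDs below the range size map to a UNIX ID, while accounts with higher RIDs are dropped with "Failed to store user".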
[Freeipa-users] Re: Only some AD users returned from lookups
On Wed, Jul 11, 2018 at 09:42:14PM -, Mike Conner via FreeIPA-users wrote:
> sssd_nss.log during attempted lookup of slyme...@grinnell.edu account:
> https://pastebin.com/gLFnhZ9s

This is somewhat helpful, at least this snippet:

(Wed Jul 11 16:33:22 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #230: Object [slyme...@grinnell.edu] was not found in cache
(Wed Jul 11 16:33:22 2018) [sssd[nss]] [cache_req_search_ncache_add_to_domain] (0x0400): CR #230: Adding [slyme...@grinnell.edu] to negative cache
(Wed Jul 11 16:33

Shows the user was not found. The next step is the domain logs.
[Freeipa-users] Re: Only some AD users returned from lookups
sssd_nss.log during attempted lookup of slyme...@grinnell.edu account: https://pastebin.com/gLFnhZ9s
[Freeipa-users] Re: Only some AD users returned from lookups
On Wed, Jul 11, 2018 at 09:07:41PM -, Mike Conner via FreeIPA-users wrote:
> No, the lookups fail on both the server and the client.

Can you post logs of a failing lookup on the server? You would add debug_level to the [nss] and [domain] sections in sssd.conf and run the lookup.
[Freeipa-users] Re: Only some AD users returned from lookups
No, the lookups fail on both the server and the client.
[Freeipa-users] Re: Only some AD users returned from lookups
On Wed, Jul 11, 2018 at 08:36:43PM -, Mike Conner via FreeIPA-users wrote:
> I have an issue where I've established the AD trust and am able to look up
> my own account and about 30 others, but all others fail. I've compared
> AD attributes across accounts and can't find anything that is notably
> different. I've seen messages about making sure that groups can resolve,
> but I don't think that's what's happening. I have a user account that only
> has one group membership and that group resolves, but the account still
> is not returned on a lookup. The only common thread I can find with the
> accounts that succeed is that they are older accounts - they were created
> a long time ago - more recently created accounts fail. Where can I look
> to see what might be happening?

Are the users resolvable on the IPA server at least or do the lookups fail on both the server and the client?